DCR Wireless

Pages

Monday, February 11, 2019

Recently AccelTex unveiled their latest product, their Accelerator battery. Although battery
packs are not novel to the world, there are only a few that are designed for
Wireless Site Surveys, which is exactly what the Accelerator was designed for.

Listed at a scant 1.32 pounds, the Accelerators form factor
is perfect for travel. Rather than slogging around with a battery the weight of
a cinderblock, Acceltex has been able to pack the perfect amount of run time
into a nice little form factor. I’ve been comparing its size to people as about
half of a paperback novel. If you want to get technical about it, its 5.3”
long, 3.9” wide, and 1.7” tall.

As for runtime the 7500mAh should provide you with enough
power for almost a full day of surveying. Many of the reports I’ve seen on
Twitter have shown it to provide about 6 hours of power for a modern AP. It also
charges quickly, I found it jumped about 40% during a quick one hour “lunch
charge.” Going from 35% up to 74%. A full recharge will only take 4 hours as
well. Which, all things considered is pretty quick.

The layout of the battery is close to perfect, with only a
few minor quibbles. First, on the right hand side you’ll find two barrel plugs.
One is the charging port while the other is a 12V out. When I asked about the
12V out, AccelTex told me they have used this to power Cradlepoint routers.
Although I’m sure there are a number of other uses as well. Also on the right
hand side, you’ll find the LAN input. On the opposite side of the battery
you’ll find two RJ45 ports on either side of a toggle switch. One is a typical
802.3af/at PoE output, and the second is a 24V PoE output. The 24V was the
first thing that jumped out at me when I started looking at the unit. There are
a few Access Point manufacturers that utilize 24V PoE such as Ubiquiti, as well
as some security camera manufacturers as well. This, coupled with the 12V
barrel output make it a very flexible platform. Nestled between the two RJ45
ports is a simple toggle switch. When in the middle the unit is off. Then, if
you push it towards one side or the other it will turn on the power for the
indicated port (either 802.3af/at or 24V PoE.) On this same side of the battery
you will also find a 5V USB A Output. As you will see in the photos, I was able
to power my WLAN pi through this as well as a Cisco 2702I with no issues. On
the front of the unit is the display. It’s a very simple LCD display with a
battery indicator, and battery percentage. Under the display is a small button
that you can push to toggle the battery percentage to Voltage. That is, if you
can actually push the button.

Right hand side

Left hand side

With all that out of the way, lets delve a bit more into my
thoughts and opinions on the unit. First, a couple of caveats that should be
taken into account. AccelTex was kind enough to supply me with a unit for
testing. They provided absolutely no requirements for me to review, blog, or
even talk about the battery. Further, I was sent one of the first production
units. As such, there were a few concerns I had that AccelTex has already
addressed, but I will still point them out here.

AccelTex includes a nice case (as cases go) with the
battery. It has just enough room for the battery itself, its charging cord and
an additional 12V jumper cable. This will help keep everything together when
travelling. I’ve also already found that it helps me remember to bring along
the charging cable, which by itself is invaluable.

Case - Scratch marks and finger prints show up easily

One of the first things you’ll notice about the unit (and
its case) is the texture and color. Both are fairly sleek, with a matte black
look. However this texture does seem to pick up dust and fingerprints very easily.
When I brought this up with AccelTex they actually mentioned that more often
than not, the battery won’t be “naked” like I’ve had it. But they now have a
form fitting case for the battery that contains connectors and straps so that
you can attach the battery directly to your survey tripod. I have not received
a case yet, but the photos that I’ve seen look great and make it that much more
versatile.

The first thing I did when taking it out of the box was go
to charge it. Well, at least I tried to anyway. The charging cable is only 36”
long. I understand that this may seem like I’m looking for things to be
critical about, but I found this irksome. Due to the great form factor of the
unit, I can see a lot of people leaving these attached to their survey rigs. So
having a longer charging cable that allows you to do so would be fairly
important.

The second thing I did was look at the display. There is
nothing like the nice warm glow of a lit up green LCD. My only concerns with
the display were that it never shuts off, even when the unit is off, which
could lead you to accidently leaving the battery on. As the only indicator that
the battery is on (other than the switch) is the small indicator on the RJ45
port that’s being powered. I also found the button to change from Battery
Percentage to Voltage to be a bit small and hard to push. Although it’s
certainly doable, and quite frankly, how often are you going to need to toggle
between the two?

Gotta love a lit green LCD

In my notes I actually wrote in two different places how I
keep expecting it to weigh more. I don’t know if it’s that the form factor is a
bit “brick-like,” and that’s what makes me think it’s going to be heavier. But
it really is remarkably light for its size.

The last of my nitpicking is with the name itself. I mean, I
get it, it’s a play-off of AccelTex. But… meh. Maybe it’s the fact that there’s
the word "The" in front of it. “The
Accelerator” The same thing annoys me when people say they went to “The Ohio State University.” Also the name
itself (the full name, including “the”) is written on the top of the battery in
what appears to just be just italicized Times New Roman. I suggested that they
rename it the DCR-1, which I think in almost any font would look good. But for
whatever reason they have yet to take me up on that suggestion.

Final thoughts

I think AccelTex really hit it out of the park with this
one. I have a few minor gripes with it, but all in all it’s a great
battery. Especially when you consider that MSRP is only $299.95. With the
addition of the 12V barrel output and 24V PoE, it’s a very versatile solution.
It has a great run time considering its weight and form factor. As well as a
quick recharge time. It’s certainly going to be the platform that I suggest
moving forward.

Friday, March 2, 2018

Mnemonic to help remember: Really Super Powerful Dog Ate Everything***EXAM*** The above
(Shortest to longest) could be on the exam. The below are notes from my CWDP
notes

SIFS (Shortest Inter Frame
Space) - Used with all of the coordination functions. SIFS is the
shortest of the IFS for 802.11-2007. Used prior to ACK and CTS frames. As well
as in between MPDU's of a fragment burst. For 802.11n a shorter IFS (RIFS) was
introduced.

RIFS (Reduced Inter Frame
Space) - Introduced with 802.11n to help
improve efficiency for transmissions that do not require a SIFS to a
single receiver. Such as a transmission burst (CFB-Contention Free Burst.)
802.11n uses RIFS and Block ACK. RIFS is *only* used when Block ACK is enabled.
When Block ACK are used data frames of a CFB can be sent continuously without
stopping for an ACK. At the end of the CFB, the TX STA will send a BAR (Block
ACK Request) and will/should receive a single Block ACK (BA)

DIFS (Distributed Inter
Frame Space) - When a STA wants to transmit a data frame (MPDU) or
a management frame (MMPDU) for the first time in a DCF (Distributed
Coordination Function) network, the duration of the DIFS must be observed after
the previous frames completion. DIFS are longer than SIFS and PIFS.

EIFS (Extended Inter Frame
Space) - EIFS are used by STA's that have received a frame that
contained errors. By using the longer IFS, the transmitting station will have
enough time to recognize the frame was no received correctly before the
receiving station commences transmission. If, during the EIFS duration the STA
receives a frame correctly (regardless of intended recipient), it will resume
using DIFS or AIFS, as appropriate.

- EIFS does
Have a drawback. STA's near to the AP can cause problems for STA's further away
from the AP. This is because STA's close to the AP are using higher data rates,
and as such higher modulation mechanisms. The STA's further away cannot demodulate
these, and due to this interpret it as a corrupted frame. Making it stay quiet
for the EIFS. Providing the near STA's to use DIFS or AIFS and giving it
priority and getting more opportunity to transmit while the far station will
remain quiet.

EIFS (in DCF) = SIFS
+ DIFS + ACK_Tx_Time

EIFS 802.11b/g/n
devices using DSS = 364μS

EIFS 802.11g/n
devices using OFDM = 160μS

EIFS 802.11a/n
devices (5GHz) = 160μS

EIFS (in EDCA) =
SIFS + AIFS[AC] + ACK_Tx_Time

AIFS (Arbitration Inter
Frame Space) - The AIFS shall be used by QoS STAs to transmit
all data frames (MPDUs), all management frames (MMPDUs), and the following
control frames: PS-Poll, RTS, CTS (when not transmitted as a response to the
RTS), BlockAckReq, and BlockAck (when not transmitted as a response to the
BlockAckReq).

The number of slot
times used in the AIFS is called the Arbitration Inter Frame Space Number
(AIFSN). 802.11e specifies 4 access categories (AV_VO : Voice, AC_VI : Video,
AC_BE : Best Effort & AC_BK : Background). Voice & Videocategory use 2
slottimes by default. Best Effort category use 3 slottimes where as Background
traffic use 7 slottimes by default.

Below is the formula
to calcluate AIFS for a given Access Category (AC)

It's important to
remember that these are certifications by the WiFi Alliance and not from the
802.11 standard. This means that they validate that a device uses portions of
the security that 802.11 provides. They both come in two forms, Personal and
Enterprise. Personal is known as Pre Shared Key because it uses a PSK.

WPA has been
depreciated and as such its use should be as well. It used TKIP/RC4 and again,
as such, TKIP/RC4 should no longer be used either.

The Enterprise
version of both WPA and WPA2 both use the 802.1x framework for authentication
and key management. This framework has three primary components.

1.) Supplicant
(Client STA)

2.) Authenticator
(AP or Controller)

3.) Authentication
Server (This is normally your RADIUS server)

The EAPoL protocol
is used for communication between the Supplicant and Authenticator, and RADIUS
is used between the Authenticator and the Authentication Server.

We touched a bit on
these in the "Type" field but this portion of the chapter goes into
them a bit deeper

Beacon Frames - We
touched on these in Chapter 2 as well as other assorted places. These are used
to announce BSS's for STA's that are looking for something to connect to.
Beacons are transmitted (by default) every 100 time units (TU's.) A TU is
typically 1024 microseconds which, when you do the math means that every 102.4
milliseconds a Beacon is being transmitted. Remember that a Beacon frame is
transmitted for *every* SSID being broadcast. As such, the more SSID's you
have, the more Beacon overhead you are creating. Beacon Frames are a Management
Frame and as such, use the Management Frame Format. It should be noted that
Beacon Frames contain a lot of information about the SSID and radio being used
to broadcast it. Some of the most important of this information is the SSID
name itself, the capabilities of the device (there are a few things here) and
supported rates.

Beacons are sent at
a target beacon transmission time (TBTT) which by default is every 100 Tus.
That said, with how heavily utilized the wireless medium is, that target is
often not possible, and the beacon will be sent as soon as possible after the
100 TU's has passed. It's important to remember that Beacon frames have to wait
for the air to be clear before transmission as well.

Beacon filter in
wireshark
wlan.fc.type_subtype == 0x08

To filter beacon
frames *out* of the display use the Wireshark filter

Wlan.fc.type_subtype
!= 0x08

Probe Request and Probe
Response Frames

Remember in active
scanning, a STA will send a Probe Request, which will be answered with a Probe
Response by an AP. If the probe request is sent with a broadcast SSID, any and
all AP's on that channel being probed will respond with a Probe Response. Thus
allowing STA's to quickly gather a view of all of the SSID's available on that
channel.

Probe Request and
Response Wireshark Filter

Wlan.fc.type_subtype
== 0x4 *OR* wlan.fc.type_subtype == 0x5

To filter out Probe
Request/Response Frames

Wlan.fc.type_subtype
!= 0x4 and

Wlan.fc.type_subtype
!= 0x5

Remember that just
because a client is connected does not mean that it will stop probing. Client
roaming algorithms will have a certain threshold where they will begin probing
for a better AP. For example last I knew Apple iOS devices would start their probe
requests at -67dBm. Now that doesn't mean that it will automatically move to
something that’s stronger than -67dBm. That could result in flapping from AP to
AP. Instead it requires the new AP to have a stronger connection of a certain
threshold. In the iOS case (again last I knew) the new AP had to be 8dB
stronger than the AP that the STA is currently connected to. That means that
even if the STA had a -72dBm connection, it wouldnot roam unless the new AP had a signal
strength of -64dBm or stronger. Unfortunately these roaming algorithms are
unique to the devices. So the probing threshold and roaming threshold of each
client may vary. Its important to keep this in mind when designing.

Authentication and
Deauthentication Frames

Authentication
frames are frames used by STA's to enter into the Authenticated State with an
AP. To do so, a STA sends a single frame to the AP, which will answer back with
a single frame of its own. This is the method that WPA2 uses

Deauthentication
frames are used to remove a STA from an authenticated state. This can be done
by either the STA or the AP. Remember that an STA cannot be associated if its
not authenticated

Wireshark filter for
Authentication frames

Wlan.fc.type_subtype
== 0xb

To filter them out

Wlan.fc.type_subtype
!=0xb

Association and
Disassociation Frames

These frames are
used for the STA to enter into an associated state after they have been
authenticated. It's done through a four-frame exchange

-Authentication
request

-ACK

-Authentication
response

-ACK

From this point if
Open System Auth is being used, then the STA can begin to use the network. If
they are using 802.1X, then that process will begin at this point.

Disassociation
frames will remove STA from an associated state, placing it into an
Authenticated not associated state. Disassociation frmaes will include a reason
for the disassociation, a smattering of vendor-specific information, and an
integrity check if/when management frame protection is in use.

Wireshark Filter

Wlan.fc.type_subtype
== 0x0 or 0x1

To filter them out

Wlan.fc.type != 0x0
or 0x1

Reassociation Request and
Response Frames

These are used when
roaming from one AP to another within the same ESS. They can also be used to
reconnect to an AP which the STA was briefly connected. Only if the AP still
has authentication information about the STA however. Request frames contain a
plethora of information.

Wireshark filters

Wlan.fc.type_subtype
== 0x2 or 0x3

To filter them out

Wlan.fc.type_subtype
!= 0x2 or 0x3

Request to Send (RTS) and
Clear to Send (CTS) Frames

These are used to
clear the PHY for the transmission of "larger" frames. When a STA
wants to send a larger frame it sends a RTS. A CTS is used to respond.

Both frame types
include a duration field, which is very important as it lets everyone know how
long the air will be busy. The duration of a request field is made up by the
data *or* management frame duration + CTS duration + one ACK duration + three
SIFS

The CTS response
frame also has a duration that’s measured in microseconds made up of the value
of the duration field of the RTS frame - CTS duration - one SIFS

CTS-to-Self is a CTS
frame that is sent without a RTS frame before it. These frames have the RA
field set as their own address. These are helpful because all STAs within range
will hear the frame and set their NAV timers using the duration field from the
CTS frame. This is made up by the Data or management frame duration + two SIFS
+ one ACK

Wireshark filters
for RTS/CTS frames

Wlan.fc.type_subtype
== 0x1b or 0x1c

To filter them out

Wlan.fc.type_subtype
!= 0x1b or 0x1c

ACK Frames

These are sent to
inform the transmitting device that the frame was received and are sent
immediatily following data and management frames. If an ACK frame is not
returned then the transmitter assumes the frame was lost and will retransmit
the frame. With each retransmission the random backoff timer length is
increased with a maximum of 1023. This maximum backoff timer length keeps STA's
from continuously retransmitting without shifting to a lower data rate. As the
book points out, its fair better to send a frame at 54Mbps and have it be
received than it is to send it five times at 150Mbps before its received.

An ACK frame is a
fairly simple frame. Consisting of only Frame Control, Duration, RA, and FCS
subfields. It actually uses the address of the STA that sent the acknowledged
frame in the RA subfield and not the address of the STA sending the ACK Frame.

Wireshark Filter

Wlan.fc.type_subtype
== 0x1d

To filter them out

Wlan.fc.type_subtype
!= 0x1d

Null Data and PS-Poll Frames

These are used to
notify an AP that the STA is awake and now able to receive frames. These are
called Null Data frames since they are simply a Data frame containing no data.

Wireshark filter

Wlan.fc.type_subtype
== 0x24

PS-Poll is short for
Power Save Poll. These frames are also used to notify the AP that the client is
awake and available for buffered frames. These include an AID.

STAs using power
management will set their PM bit to 1, meaning that it will go in and out of
awake and dozing states. When dozing the AP will buffer any traffic that is
destined for the STA.

Client devices have
a Listen Interval at the end of which the client will wake up and listen for
Beacon Frames. If the client hears a beacon with its AID containing a 1 bit it
will send a PS-Poll frame requesting that the AP send it its buffered data. Which
it will do one frame at a time. If there is more data the More Data bit will be
set to 1. Each time the client will send a new PS-Poll until there are no more
buffered frames at which point the Client STA can return to a sleep state.

Rather than send a
PS-Poll back to the AP to request each individual frame that is buffered,
clients can also flip the PM bit to 0. This will cause the AP to send all of
its buffered data down to the STA as if it was a normal client. Once this
transmission is complete, it will flip its PM bit back to 1 and go back to
sleep. This is *not* a 802.11 standard operation, but is an operation that is
used by many client devices which reduced a lot of unnecessary airtime eaten up
by the PS-Poll frames.

In a WMM Power Save
queue frames are downloaded using a Trigger-and-delivery mechanism. WMM-PS is
set for each AC separately. This allows for more frequent data transmission for
those applications that require them.

Trigger frames are
actually data frames that are ACK'd by the AP. This means that a STA can send
data to the AP while at the same time triggering the delivery of any buffered
frames that the AP may have for the client device.

If the AP has
multiple buffered frames for the client, the AP can send those frames during an
EDCA transmit opportunity that has interleaved ACK's. Meaning that a burst of
frames can be sent down rather than individual.

Management Frames -
These frames are aptly named since they are used to help manage the air. They
do so by announcinginformation
regarding the WLAN, and also have certain actions that they can perform. Below
is a list of management frames and a description to go along with them.

Beacon - This is used by the AP to
advertise information about the BSS

Probe - This is used by clients so
that they can actually find a BSS/SSID to connect to.

Association - A client uses an
association frame to go associate to an AP and therefore start
communicating through it.

Disassociation - The opposite of
association.

Reassociation - If a client is already
associated to an AP, it can reassociate to another AP on the same ESS.

Authentication - These frames come prior to
association and are used to authenticate a STA to an AP.

Deauthentication - The opposite of
authentication.

Action - These frames can trigger
various actions within the cell they are being broadcast on.

Control Frames - You
might be sitting there thinking… wait, whats the difference between Management
and Control. Don't those two words mean vaguely the same thing? Well, you're
not wrong. But you can differentiate it as - Management frames mangage the
WLAN, where Control frames orchestrate the air itself. Take a look at some of
the common Control Frame types below and I think you'll understand what I'm
saying.

ACK - These are your normal ACKs,
acknowledging the receipt of a frame

RTS - Request To Send

CTS - Clear to Send - These frames
are used to clear the PHY for the transmission of another frame.

BlockAckReq
- This is a type
of frame used to request a block ACK

BlockAck - Rather then send an ACK
for every individual frame, a BlockAck can acknowledge multiple frames
that were sent in a row.

Control
Wrapper - These
are frames that include an HT Control Frame while carrying other Control
Frames as well

Data Frames - For the
most part these carry data. They will have a the entire header for whatever
MAC/PHY is being used, and then the MSDU. There are however some "Null
Data" frames, that quite literally mean there is 0 data contained. These
are used for various control functions relating to power management. Further,
there are data frames that do not have QoS and use standard DCF, as well as QoS
Data frames, which utilize EDCA.

PCF Frames - As we've
noted a couple of times, PCF isn't actually in use. However this frame type is
documented in the standard. The book calls out the fact that for the exam you
should know that the 802.11n standard brought with it the ability to use a
CF-End frame to show that despite owning the TxOP it has no more data to send.

Duration/ID - As
implied by its name, this field actually has two purposes. The first is that it
can contain the duration of the frame itself. The duration is used to set the
NAV timer by other clients. The AID is used when PS-Poll frames are transmitted
to tell the AP that the transmitting STA is awake and that it can send any
buffered frames the STA has waiting.

Address 1, 2, 3, 4 -
Depending on if the frame is being transmitted with an IBSS, from an AP to a
STA, STA to an AP, or as part of a mesh network, these addresses can indicated
different things as shown below.

In the table above
RA is the Receiver Address, and DA is the Destination Address. TA is the
Transmitting Address, and SA is the Source Address. It may seem like some of
these are redundant. However remember that the MAC address of the AP radio is
often going to be different than the BSSID. Or in the case of a mesh, the RA is
the next "hop" in the mesh, where the DA is the intended final
recipient of the frame.

Sequence Control -
This is a 16-bit field that’s used to help orchestrate fragmented frames in a
transmission to help alleviate duplicate frames in the case that they arrive.
It's made up of two parts. First is the 4-bit fragment number and second is a
12-bit sequence number. The sequence number remains the same for every
fragmented MSDU, giving each frame making up that fragmented MSDU the same
sequence number *but* a different fragment number. This allows the receiving
device to know what MSDU the frame is from, and if it has already received that
piece of the puzzle and know what order they should go in as sometimes they can
be received out of order. The Sequence numbers start at 0, and for every
fragmented MSDU that needs breaking up and transmitting, it goes up by 1 until
it reaches 4095 and then it just starts again.

QoS Control - This is
another 16-bit field that classifies the frames category for queuing. The first
three bits in this field map to a value of 0 to 7 which signifies the 802.11e
User Priority (UP) for the frame. This field is also called the Traffic
Indicator (TID). Remember that the eight UP's map to the 4 Access Cateories
(AC) set forth by the WiFi Alliances WMM Certification. Also remember that The
lower the number, the lower the priority. For example 1 and 2, are AC_BK (WMM
Background) which is the lowest prioity. Fun fact, the lowest of the numbers
(0) maps to Best Effort which is a step above Background. This is because in
making the mapping, they wanted it to be backwards compatible with non-QoS
devices, but not completely hamstring them just because they weren't QoS
capable.

HT Control - This
16-it field specifies certain HT and VHT capabilities. Such as antenna
selection and beamforming.

Frame Body - This
field contains the actual payload (MSDU) that’s being transmitted. When the
field is encrypted, it will add overhead to the field. Either 20 or 16 bytes of
overhead depending on if TKIP/RC4 (20 bytes) or CCMP/AES (16 bytes) is being
used.

FCS - Frame Check
Sequence - This field is used to detect if there have been issues in the
communication of the frame. A Cyclic Redundancy Check (CRC) is used over the
entire MAC Header and Frame Body. The receiving STA will run a CRC and should
come up with the same FCS to determine if anything has gone wrong during
transmission.

Frame Control - The
first part of the frame is the Frame Control field, and understandably since it
sets a number of incredibly important parameters about the frame. We'll touch
on a the individual fields of the Frame Control field below. First though, here
is a picture of what the Frame Control field looks like and what its components
are.

Protocol Version - This is always set to 00.
This is to indicate if there is an incompatible version, but as of right
now,no incompatible versions exist.

Type - This defines the frame type, whether
the frame is a management, control, or data frame, and what the subtype is.
List of Frame Types and Subtypes are below, along with their associated bits.

Type

Bits

Subtype

Bits

Management

00

Beacon

1000

Management

00

Association
Request

0000

Management

00

Association
Response

0001

Management

00

Authentication

1011

Management

00

Deauthentication

1100

Management

00

Action

1101

Management

00

Action
NO ACK

1110

Control

01

Control
Wrapper

0111

Control

02

Block
ACK Request

1000

Control

03

Block
ACK Request

1001

Control

04

PS-Poll

1010

Control

05

RTS

1011

Control

06

CTS

1100

Control

07

ACK

1101

Data

10

Standard
Data Frame

0000

Data

10

Null
Data Frame

0100

Data

10

QoS
Data

1000

Data

10

QoS
Null Data Frame

1110

To DS/From DS - These are one bit each and
determine where the frame is coming from, and where it is going to. Whether its
going from a STA to an AP, or from an AP and destined for a STA, or, in the
case of an IBSS, going from one STA to another STA.

More Fragments - This subfield indicates
whether the current frame being transmitted is part of a fragmented frame.
Remember that frames can be fragmented if its size is over that of the
fragmentation threshold (default of 2346). Basically it takes a large frame and
breaks it into smaller pieces. Although this can lower speed and add overhead,
it also increases the probability that the frame will actually be received in a
dirty RF environment. Further, if a retry does take place, it will normally
only have to resend a single fragmented frame. Rather than the entire large
frame.

Retry Field - Retries occur when the
transmitting station sends a frame, but does not receive an ACK. It will then
resend the frame (when it can get back on the air) and this resent frame will
have the Retry Field set to 1. This is useful for a number of reasons. For the
receiving device it eliminates duplicate frames. It also has the added benefit
of being helpful in tracking the amount of retries in the environment to see if
there are any issues. A WiFi protocol analyzer will often have a report that
can hone in on this bit to provide you reports on the retry amount/percentage.

Power Management Field - When power management
is used by a STA, this field is set to 1. Indicating the mode that the STA will
be in after if its finished transmitting the frame. With this in mind, AP's
will never transmit with this bit on since they don’t enter Power Save mode.
When an AP receives a frame from an STA with this bit set to 1 it knows that it
needs to buffer subsequent data destined for that STA since it's in a power
save mode. Once the STA wakes up, it will transmit all buffered data down to
it.

More Data - This could also be called the
"STAY AWAKE!" field. When this field is set to 1 it indicates that
the AP has more frames buffered for a STA. Therefore the STA doesn't go to
sleep before receiving all the data the AP has buffered for it.

Protected Frame Field - If the field is set to
1 it means that the MSDU is encrypted. If it is set to 0 it means that there is
no MAC sublayer encryption being used.

Order Field - In a non-QoS Frame this is set
to 1 to indicated that the frame includes an MSDU. It is also set to 1 in a QoS
data or management frame to show that the frame also contains an HT Control
field. This gives HT capable devices the heads up to decode the HT Control
field.